
ANNEX B - SAAS TECHNICAL DOCUMENTATION


Introduction

This document provides standards and features applicable to the Compri SaaS (“Compri”) provided to Customer under the Commercial Agreement.

Table of Contents.

1. BILLING DETAILS.

2. DATA STORAGE.

3. PROVISION OF THE SERVICE.

4. SECURITY REQUIREMENTS AND AUDITS.

5. PERFORMANCE AND AVAILABILITY.

6. SERVICE LEVEL AVAILABILITY (SLA).

7. SLA MEASUREMENT METHOD.

8. BACKUP AND DATA STORAGE.

9. DISASTER RECOVERY (“DR”)

1. Billing details.

Compri's SaaS solution can be purchased by signing a valid Commercial Agreement with Compri.

The offer, in addition to the necessary implementation of services, may include various packages/modules.

Each package/module has a defined license fee, depending on its complexity. The prices for individual packages/modules, as well as the implementation fee, are specified in the Commercial Offer, which is drawn up based on the number of packages/modules the customer is interested in and the size of their organization.

The implementation fee is a one-time payment and must be paid in accordance with the terms set out in the Commercial Offer.

The license fee covering the packages/modules selected by the Customer must be paid annually in the manner set out in the Commercial Offer and will have a duration equal to the duration of the Commercial Agreement between Compri and the Customer.

2. Data storage.

All Compri data and infrastructure will be deployed in the AWS eu-west-1 Region (Dublin, Ireland), ensuring compliance with EU data residency requirements.

To minimize the risk of data loss from local failures and simplify disaster recovery procedures, all backups will be distributed to a different AWS Region within the European Union (EU).

Compri reserves the right to change the location of data within the countries indicated and will notify customers of any changes with at least 30 days' notice.

3. Provision of the service.

  • Versions: Compri will distribute to the customer the latest generally available version of the service.

  • Environments: Compri will provide all customers with a production environment; Compri will also use a sandbox production environment to validate and test interactions with customer systems (ERP and other services). Only sections 3 and 4 of this document apply to the sandbox environment.

  • SLA: The SLA section applies to the production environment only.

  • Security measures or access methods: To ensure secure authentication of administrators/users and proper access control, we use a passwordless approach. Single sign-on (SSO) with the customer's identity provider is recommended for authentication. Alternatively, we use email authentication via magic links. Each administrator/user must have a valid email address for this purpose. This is in line with the Data Minimization principle. Customer users will provide their first and last name upon first login.

4. Security requirements and audits.

To ensure the verifiable confidentiality, integrity, and availability (CIA) of the service, Compri logs connections and actions associated with user IDs. This data is used only for further analysis and support case resolution and is retained for no longer than 90 days.

Vulnerability assessments are self-managed by the Compri team according to the following indicative schedule:

  • External Dynamic Scans: Quarterly

  • Internal Vulnerability Scans: Quarterly

  • Internal Static Scans: Quarterly

  • New infrastructure components inserted

5. Performance and availability.

To maintain system availability and performance for all customers, Compri reserves the right to restrict access to the API to preserve application uptime.

To provide customers with adequate advance notice of scheduled maintenance activities that result in system downtime, Compri will provide 1 week (7 calendar days) advance notice of all upcoming activities. If an emergency maintenance window is required, Compri will make a reasonable effort to provide 48 hours' advance notice.

6. Service Level Availability (SLA).

The Availability Service Level is guaranteed as indicated in the table below for Compri during the term of the contract. If the Availability Service Level falls below the threshold for the default service level indicated below in a given quarter, the Customer may be entitled to take the actions described in this document.

| Components / Features | Uptime Guarantee (availability time during business hours, 9:00 AM - 6:00 PM, Monday to Friday, excluding holidays in the customer's region) | Total Availability (time outside of business hours) |
|---|---|---|
| Compri | 99.9% | 99% |

7. SLA measurement method.

Service level objectives are measured as described below:

  • Compri runs test scripts using application monitoring tools on the production system to verify that the software is available. Test scripts run approximately every five (5) minutes, twenty-four (24) hours a day, seven days a week, for the entire contractual term of the software.


Scheduled downtime is defined as the time the solution is not available for periodic and necessary maintenance events in which Compri provides notice to the Customer.

| Type of service | Definition | Credit |
|---|---|---|
| Compri | Service level is less than 99.5% quarterly | 1 month of commissions |

8. Data backup and archiving.

The following data backup and replication is guaranteed during the subscription period:

Data Backup: All Compri customers will have their data backed up daily. Backups are securely replicated to an alternate location (see data location), limiting data loss to no more than 24 hours in the event of a disaster at the primary data location.

  • Daily backups are kept for 21 days

  • Removable media is not used for data storage or backups

  • All customer data is encrypted at rest with AES-256

9. Disaster Recovery (DR).

Compri is configured with a DR site and a plan to switch to the DR site in the event the primary site is inoperable. The DR site is a replica of the primary site to provide consistent performance and availability. Compri periodically switches between sites to verify the functionality of the DR site as outlined in the DR plan.

Below are the key measures of the DR plan:

| What is covered | Recovery Time Objective (RTO) | Recovery Point Objective (RPO) |
|---|---|---|
| Compri | 4 hours | 24 hours |

Recovery Time Objective or RTO is defined as the time within which a service must be restored after a major outage or incident.

Recovery Point Objective or RPO is defined as the maximum period during which data could be lost from a service due to a major outage or incident.

ANNEX B.1 – INFORMATION COMMUNICATION: TECHNICAL ESCROW PROCEDURE FOR BUSINESS CONTINUITY

1. Purpose of the document.

This communication aims to transparently illustrate the technical measures adopted by Compri to protect Customers' business continuity in emergency scenarios.

These measures do not replace existing contractual agreements, but provide additional guarantees based on predictability, contractual good faith, and the protection of Customer data and processes.

2. Scope of application.

The following protections apply only to active Compri customers and are provided in scenarios such as:

  • Permanent cessation of Compri's activity;

  • Interruption of Compri services due to unforeseeable and extraordinary causes;

The Escrow procedure is described in this information note and in the attached appendix.

3. Measures envisaged.

In particular, the following operational protection measures are envisaged:

3.1 Access to the source code:

  • On a monthly basis, Compri deposits an updated copy of its source code into a dedicated private repository (Bitbucket).

  • Each repository is tracked via a verifiable audit log (date, time, and version number) if necessary.

  • Each customer has a dedicated Bitbucket account with read-only access (disabled by default). If one of the above scenarios is activated, the account is promptly activated to ensure access to the repository as quickly as possible.

3.2 Management of the transition phase:

  • Compri undertakes, subject to available resources, to maintain access to the service for a minimum period of 30 days from the date of official notification of cessation of activity or interruption of the service.

  • During this period, upon the Customer's request, a technical representative will be made available to support the transition to an alternative system or for data extraction, at no additional cost.

3.3 Data storage and export:

  • Compri will provide, upon request of the Customer, a complete export of the data in a standard interoperable format (e.g. CSV, JSON, XML), within 15 working days of the request, if the platform is no longer independently accessible.

  • Customer data will be retained for 90 days after the cessation of the business, unless otherwise requested by the Customer or subject to specific legal obligations.

4. How to activate protections.

The above protections will be activated following:

  • Formal communication by Compri of the cessation of its business;

  • Failure of the service for a continuous period exceeding 15 days, without notice;

  • Written request from the Customer following communication of termination of the contractual relationship by Compri;

In any of the above cases, emergency measures will be implemented promptly to ensure business continuity.

APPENDIX

ESCROW TECHNICAL PROCEDURE

A detailed technical description of the Escrow system is provided below.

1. Monthly source code repository.

1.1. Procedure:

  1. Each month, a complete copy of the Compri platform source code will be deposited into a dedicated repository in Bitbucket.

  2. Each repository is tracked with an audit log that records the date, time, and version.

  3. The backup process is fully automated.

1.2. Operating process:

  1. Month N: Automatic backup of Compri code → Bitbucket repository → Audit log generated

  2. Month N+1: Automatic Backup Updated → Bitbucket Repository → Audit log generated

  3. Month N+2: Automatic Backup Updated → Bitbucket Repository → Audit log generated

  4. (...continuous cycle)

2. Emergency Access Account.

2.1 How it works:

  1. For each Customer, a dedicated Bitbucket account with "read-only" access is created.

  2. The account remains disabled during normal operation of the service.

  3. The account is automatically activated only when needed.

2.2. When it activates:

  1. Permanent closure of Compri's business.

  2. Service interruption for more than 15 consecutive days due to extraordinary events.

2.3. Access features:

  1. Read only: no changes or deletions can be made.

  2. Instant: No waiting for approvals or manual interventions.

  3. Full: Access to all source code and complete version history.

3. Transition Support.

3.1 What we guarantee:

  1. 30 days of continued access to the current platform after notice of termination, to allow the Customer to operate in the meantime.

  2. A dedicated technical consultant to support the transition to a new system (service included at no additional cost).

  3. Complete export of customer data in standard formats (CSV, JSON, XML) within 15 working days of the request.

4. Technical Specifications.

4.1. Bitbucket Repository:

  1. Platform: Bitbucket Cloud.

  2. Backup: automated monthly.

  3. Retention: 90 days after termination of the contract.

  4. Access: Read-only clone with full Git history.

4.2. Audit and Security:

  1. Detailed logs of each backup operation.

  2. Emergency accounts created but disabled by default.

  3. Alerts in case of backup failure.

  4. Monthly data integrity checks.

4.3. Data Export:

  1. Available formats: CSV, JSON, XML (other formats on request).

  2. Delivery: Secure download link provided to Customer.

  3. Content: configurations, user data, reports, integrations.

  4. Time: maximum 15 working days from the request.

5. Practical Example: What happens in an emergency.

Scenario: Closure of Compri

  1. Day 0: Official communication of the closure to customers.

  2. Each customer's emergency Bitbucket account is automatically activated.

  3. Days 0–30: The Compri platform remains accessible to Customers.

  4. Within 15 days: Customer data is exported and made available for download in standard formats.

  5. Days 0–30: A technical consultant is available to support migration to alternative systems.

  6. Up to 90 days: The platform's source code remains accessible on Bitbucket for consultation.

What the Customer can do:

  1. Download the entire source code of the Compri platform.

  2. Get all your data, delivered in an open, usable format.

  3. Receive technical support to install or migrate the system internally or to another vendor.

  4. Have sufficient time (at least 30 days) to organize the transition to an alternative solution.

compri helps you handle your day to day procurement activities all in one place and 10x faster.

Compri’s newsletter

© compri S.r.l 2024

Viale Tunisia 42, 20124, Milan, Italy

VAT: 13568830965

© 2025 Compri UI. All rights reserved.
